Re: [sipcore] Resend: WGLC: draft-ietf-sipcore-digest-scheme
worley@ariadne.com (Dale R. Worley) Mon, 20 May 2019 01:16 UTC
Return-Path: <worley@alum.mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 034B7120019 for <sipcore@ietfa.amsl.com>; Sun, 19 May 2019 18:16:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.933
X-Spam-Level:
X-Spam-Status: No, score=-1.933 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcastmailservice.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aIiDz-cthi2D for <sipcore@ietfa.amsl.com>; Sun, 19 May 2019 18:15:58 -0700 (PDT)
Received: from resqmta-ch2-04v.sys.comcast.net (resqmta-ch2-04v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29AD0120108 for <sipcore@ietf.org>; Sun, 19 May 2019 18:15:57 -0700 (PDT)
Received: from resomta-ch2-15v.sys.comcast.net ([69.252.207.111]) by resqmta-ch2-04v.sys.comcast.net with ESMTP id SWtZhc63sUTqrSWuChC1hH; Mon, 20 May 2019 01:15:56 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcastmailservice.net; s=20180828_2048; t=1558314956; bh=UB5QIks2hTVP4F6UrJ8rvodXu3AFzzgpwnPWvEqb01U=; h=Received:Received:Received:Received:From:To:Subject:Date: Message-ID; b=WmoIQfzaAU6q740hnP/yO5LT7E5zRMiFbkvlaCZ3LE/iv+Mv/pXV98neelJlSn0RP l1/ph0x+7GlFQ/AHSffKsyjcoRk08RhAZ5S2L3eVtk09MTED8/ueObXce73aT7+sdT EHFmPjvrsh32bfZvd8FX0HSCVeKiYTJYDid07B6v05P/K+fkqrKiwZpWNS/twnsRkX mkQ3DU1CVhqes99haXHOGYYXCRqNEJsu6F8WWYNdVnEHbLTk79I+K9k3AVtZYi6Id6 ToTUtppM4ejZfira0itjcSATNN3d5gUEaNrvjR1h7r5KwXhH+WBovMWMsSP+EYve7A /bBqeZ2xOopEg==
Received: from hobgoblin.ariadne.com ([24.91.37.100]) by resomta-ch2-15v.sys.comcast.net with ESMTPA id SWuBhOgvrCDqZSWuChHDcT; Mon, 20 May 2019 01:15:56 +0000
X-Xfinity-VAAS: gggruggvucftvghtrhhoucdtuddrgeduuddruddtjedggeeiucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuvehomhgtrghsthdqtfgvshhipdfqfgfvpdfpqffurfetoffkrfenuceurghilhhouhhtmecufedttdenucdnvehorghsthgrlhculdeftddtmdenucfjughrpefhvffujghssedttddttddttddtnecuhfhrohhmpeifohhrlhgvhiesrghrihgrughnvgdrtghomhculdffrghlvgcutfdrucghohhrlhgvhidmnecuffhomhgrihhnpehivghtfhdrohhrghenucfkphepvdegrdeluddrfeejrddutddtnecurfgrrhgrmhephhgvlhhopehhohgsghhosghlihhnrdgrrhhirggunhgvrdgtohhmpdhinhgvthepvdegrdeluddrfeejrddutddtpdhmrghilhhfrhhomhepfihorhhlvgihsegrlhhumhdrmhhithdrvgguuhdprhgtphhtthhopehrihhfrggrthdrihgvthhfsehgmhgrihhlrdgtohhmpdhrtghpthhtohepshhiphgtohhrvgesihgvthhfrdhorhhgnecuvehluhhsthgvrhfuihiivgeptd
X-Xfinity-VMeta: sc=300;st=spam
Received: from hobgoblin.ariadne.com (hobgoblin.ariadne.com [127.0.0.1]) by hobgoblin.ariadne.com (8.14.7/8.14.7) with ESMTP id x4K1FtCU027480; Sun, 19 May 2019 21:15:55 -0400
Received: (from worley@localhost) by hobgoblin.ariadne.com (8.14.7/8.14.7/Submit) id x4K1FsV4027477; Sun, 19 May 2019 21:15:54 -0400
X-Authentication-Warning: hobgoblin.ariadne.com: worley set sender to worley@alum.mit.edu using -f
From: worley@ariadne.com
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: sipcore@ietf.org
In-Reply-To: <CAGL6epKK=4YCJhsP9DB_R5P3EMZpR14WxY07xMwWrz-hE0hB_Q@mail.gmail.com> (rifaat.ietf@gmail.com)
Sender: worley@ariadne.com
Date: Sun, 19 May 2019 21:15:54 -0400
Message-ID: <87d0keexit.fsf@hobgoblin.ariadne.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/ucSj6XbY_5mb8enZxtXi4TA5N-I>
Subject: Re: [sipcore] Resend: WGLC: draft-ietf-sipcore-digest-scheme
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 May 2019 01:16:00 -0000
Looking into this issue: > > 2) There is discussion "The IANA registry ... specifies the algorithms > > .... and specifies a priority for each algorithm." But I cannot find the > > word > > priority in the registry, nor in the sole reference in the registry, RFC > > 7616. Can you update this to point to whatever defines the priority? > > > > > It is specified in section 3.7: > https://tools.ietf.org/html/rfc7616#section-3.7 > > But I think the wording in the draft is confusing; I will try to clarify > that. Looking at section 2.1 of draft-ietf-sipcore-digest-scheme-02, it reads 2.1. Hash Algorithms The Digest scheme has an 'algorithm' parameter that specifies the algorithm to be used to compute the digest of the response. The IANA registry named "HTTP Digest Hash Algorithms" specifies the algorithms that correspond to 'algorithm' values, and specifies a priority for each algorithm. [RFC3261] specifies only one algorithm, MD5, which is used by default. This document extends [RFC3261] to allow use of any registered algorithm. The priority of the algorithm defines its usage preference. UAs SHOULD prefer algorithms with higher priorities. Note that [RFC7616] defines a -sess variant for each algorithm; the -sess variants are not used with SIP. A nit is that the registry is named "Hash Algorithms for HTTP Digest Authentication". RFC 7616 is not referenced here as establishing the priorities, but rather the IANA registry is referenced. The critical text is from RFC 7616, which establishes the preference ordering of algorithms not globally, but based on the authentication challenge in a particular challenge/response transaction: The server MUST add these challenges to the response in order of preference, starting with the most preferred algorithm, followed by the less preferred algorithm. [...] When the client receives the first challenge, it SHOULD use the first challenge it supports, unless a local policy dictates otherwise. This suggests the wording could be improved along thse lines (changes marked with "|"): 2.1. Hash Algorithms The Digest scheme has an 'algorithm' parameter that specifies the algorithm to be used to compute the digest of the response. The IANA | registry named "Hash Algorithms for HTTP Digest Authentication" | specifies the algorithms | that correspond to 'algorithm' values. [RFC3261] specifies only one algorithm, MD5, which is used by default. This document extends [RFC3261] to allow use of any registered algorithm. | [RFC7616] specifies the usage preference when a response | contains multiple challenges specifying different algorithms. That | specification is not changed by this document. Note that [RFC7616] defines a -sess variant for each algorithm; the -sess variants are not used with SIP. And there is this issue: > 1) When is the binding time of "the contents of the Hash Algorithms for > HTTP Digest Authentication registry"? That is, if a new algorithm is > added to the registry, does it automatically become authorized for use > in SIP? > > My impression is that the answer is Yes. Perhaps I am being too fussy about this issue. But I would like to ensure that nobody mistakes the intention of this document. I think the following two wording changes would be more than enough to avoid any problems: 1. Introduction This document updates the Digest Access Authentication scheme used by SIP to support the list of digest algorithms defined in the "Hash | Algorithms for HTTP Digest Authentication" registry (defined by | [RFC7616]) as it is updated from time to time. 2.1. Hash Algorithms [RFC3261] specifies only one algorithm, MD5, which is used by default. This document extends [RFC3261] to allow use of any | algorithm that is registered at the time of use. Dale
- [sipcore] Resend: WGLC: draft-ietf-sipcore-digest… Dale R. Worley
- Re: [sipcore] Resend: WGLC: draft-ietf-sipcore-di… Rifaat Shekh-Yusef
- Re: [sipcore] Resend: WGLC: draft-ietf-sipcore-di… Christer Holmberg
- Re: [sipcore] Resend: WGLC: draft-ietf-sipcore-di… Dale R. Worley
- Re: [sipcore] Resend: WGLC: draft-ietf-sipcore-di… Rifaat Shekh-Yusef
- Re: [sipcore] Resend: WGLC: draft-ietf-sipcore-di… Dale R. Worley
- Re: [sipcore] Resend: WGLC: draft-ietf-sipcore-di… Dale R. Worley
- Re: [sipcore] Resend: WGLC: draft-ietf-sipcore-di… Rifaat Shekh-Yusef